Exploring Android Vulnerabilities and Binder: Part I

Exploring Android Vulnerabilities and Binder: Part I

Binder is an IPC (Inter Process Communication) component that forms the basis of Android. There are multiple subsystems in Android and the communication between them is provided by Binder. In this blog post, we will trigger a UAF vulnerability (CVE-2019-2215) in Binder from scratch. After preparing the necessary environment and tools, we will try to reach the KASAN output with the POC exploit.

*A-141720095(CVE-2019-2215)


Requirements for the experiment:

  • Ubuntu 20.04 (Version doesn’t matter)

  • Java 8

  • Android Studio

  • Android Emulator

  • Android SDK Platform Tools

  • Android NDK

  • Android 10 Virtual Device

  • Goldfish 4.14 Kernel

  • POC Exploit

  • Patience

 

Creating Reproduction Environment

From the list above you just need to install Ubuntu, for the rest we will follow a step-by-step process. Once the Ubuntu installation is complete, you should install the Java 8 JRE packages on your computer with the `sudo apt install openjdk-8-jre-headless` command.

After this stage, download Android Studio using snap by writing `sudo snap install android-studio`.

Except for Kernel and Exploit, we next download all the remaining requirements with the help of Android Studio.

When you download and open Android Studio with snap, it will create a new folder named Android in your home directory. It will load all the tools we will use in another folder named Sdk under the Android folder.

Android Vulnerability

After Android Studio installation is complete, we need to open SDK Manager with More Actions button and download other requirements such as Android Emulator and NDK.

 

Open the SDK Tools tab, choose the NDK, Emulator, SDK Platform-Tools sections, and then download them by clicking apply.

Android Vulnerability

 

After completing these processes, necessary environment for the POC is now successfully created. In order to use the tools provided by Android Studio from the terminal, we need to make certain changes in the PATH.

export PATH=$PATH:~/Android/Sdk/emulator
export PATH=$PATH:~/Android/Sdk/tools
export PATH=$PATH:~/Android/Sdk/platform-tools
export PATH=$PATH:~/Android/Sdk/ndk/"CURRENT_NDK_VER"/toolchains/llvm/prebuilt/linux-x86_64/bin

Now, we are ready to start.

 

Let’s create an Android 10 device using Android-Studio. Follow the steps:

Android Vulnerability

Android Vulnerability

Android Vulnerability

 

You can change the options you see above, which include the device skin and certain variables such as RAM, Camera, Sensor. Since they are not critical for reproduction, they can be changed as desired.
Android Vulnerability

 

Now, we choose System Image for the device we are creating. Downloaded system images are stored in `~/Android/Sdk/system-images` folder. You can download the image you want via the download button. In the example, we will use x86_64 Android 10.
Android Vulnerability

Next, we define a name for device and create the device.
Android Vulnerability

Once the device is created, it will be visible in the list. At this point, it is possible to run the device over Android-Studio, but after this process, we will work completely through the terminal. We will need it to read the kernel outputs and run the emulator with specific parameters.

Next Step: Building Custom Vulnerable Kernel With KASAN

There are multiple kernels distributed by Google for the use on Android. The Goldfish kernel has been developed to work in the emulator. Goldfish 4.14 Kernel for Android 10 is running smoothly. In the vulnerability that we will reproduce, the KASAN config must be enabled while the kernel is being built. In addition, the lines where the vulnerability is resolved are deleted and the kernel is built in a vulnerable way. Apart from these, each different kernel and Android version brings with it different compiler sets. The compiler we will use here will be gcc-4.9-android-10-r47. Let’s download the kernel and compiler set from the links below.

Goldfish-4.14-dev

Gcc-4.9-android-10-r47

After moving the downloaded files to the same directory, we first need to make some changes on the PATH.Android Vulnerability

In example, we have two folders under the aosp directory, src and x86_64-linux-android-4.9. Among them, src contains the kernel codes, while x86_64-linux-android-4.9 contains the compiler set.

export PATH=$PATH:$PWD/x86_64-linux-android-4.9/bin
export CROSS_COMPILE=x86_64-linux-android-
export ARCH=x86_64

With these variables that we export sequentially, we can use the compiler set we specially downloaded while building the kernel. Then we go to kernel files in the src directory and configure x86_64_ranchu_defconfig file under the /arch/x86/config directory for KASAN.
Android Vulnerability

With the required additions to the config file, KASAN and some other useful kernel features become enabled.

CONFIG_KASAN=y
CONFIG_KASAN_INLINE=y
CONFIG_KCOV=y
CONFIG_SLUB=y
CONFIG_SLUB_DEBUG=y

The next step is to comment out certain code lines to make the kernel vulnerable again.

As can be seen here, the vulnerability was fixed by adding an if block. (LINK)

We can make a vulnerable kernel by deleting the if block from the /drivers/android/binder.c file in src folder.

Android Vulnerability
Now vulnerable KASAN kernel is ready and we begin the building phase. We run the make x86_64_ranchu_defconfig command after going to src, which is the kernel home directory. And then we start building by running the make command in the same directory. After the building process, which takes 5-10 minutes on average, the custom kernel will be ready on /arch/x86/boot/bzImage.
Android Vulnerability

Now we are ready to run the emulator with a custom kernel. For this, it is enough to write the following command.

emulator @POC -no-snapshot -verbose -kernel "bzImage_Full_Path" -show-kernel

After that, what needs to be done in the remaining part is to compile the POC code and run it on a custom android device with the help of adb. And then it will be possible to see the USE AFTER FREE warning among the kernel messages.

In Part II of this research blog, we will build the POC code and run it. Stay tuned!